XCCDF-Results to HDF

.github/workflows/build.yml

@@ -56,6 +56,12 @@ jobs:
           jq 'del(.version, .platform.release)' sarif_output.json > sarif_output_jq.json
           jq 'del(.version, .platform.release)' ./sample_jsons/sarif_mapper/sarif_output.json > sarif_sample.json
           diff sarif_sample.json sarif_output_jq.json
+      - name: Test xccdf mapper
+        run: |
+          heimdall_tools xccdf_results_mapper -x ./sample_jsons/xccdf_results_mapper/sample_input_report/xccdf-results.xml -o xccdf_output.json
+          jq 'del(.version, .platform.release)' xccdf_output.json > xccdf_output_jq.json
+          jq 'del(.version, .platform.release)' ./sample_jsons/xccdf_results_mapper/xccdf-hdf.json > xccdf_sample.json
+          diff xccdf_sample.json xccdf_output_jq.json
       - name: Test zap mapper webgoat.json
         run: |
           heimdall_tools zap_mapper -j ./sample_jsons/zap_mapper/sample_input_jsons/webgoat.json -n "http://mymac.com:8191" -o zap_output_webgoat.json

.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2021-06-07 14:26:06 UTC using RuboCop version 1.16.0.
+# on 2021-06-07 20:33:06 UTC using RuboCop version 1.16.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -37,12 +37,12 @@ Lint/UnusedMethodArgument:
   Exclude:
     - 'lib/heimdall_tools/hdf.rb'
 
-# Offense count: 34
+# Offense count: 37
 # Configuration parameters: IgnoredMethods, CountRepeatedAttributes.
 Metrics/AbcSize:
-  Max: 73
+  Max: 124
 
-# Offense count: 4
+# Offense count: 5
 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
 # IgnoredMethods: refine
 Metrics/BlockLength:
@@ -53,7 +53,7 @@ Metrics/BlockLength:
 Metrics/BlockNesting:
   Max: 5
 
-# Offense count: 8
+# Offense count: 9
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
   Max: 175
@@ -63,7 +63,7 @@ Metrics/ClassLength:
 Metrics/CyclomaticComplexity:
   Max: 17
 
-# Offense count: 38
+# Offense count: 40
 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
 Metrics/MethodLength:
   Max: 56

lib/heimdall_tools.rb

@@ -18,4 +18,5 @@ module HeimdallTools
   autoload :NetsparkerMapper, 'heimdall_tools/netsparker_mapper'
   autoload :SarifMapper, 'heimdall_tools/sarif_mapper'
   autoload :ScoutSuiteMapper, 'heimdall_tools/scoutsuite_mapper'
+  autoload :XCCDFResultsMapper, 'heimdall_tools/xccdf_results_mapper'
 end

lib/heimdall_tools/cli.rb

@@ -41,6 +41,15 @@ def burpsuite_mapper
       File.write(options[:output], hdf)
     end
 
+    desc 'xccdf_results_mapper', 'xccdf_results_mapper translates SCAP client XCCDF-Results XML report to HDF format Json be viewed on Heimdall'
+    long_desc Help.text(:xccdf_results_mapper)
+    option :xml, required: true, aliases: '-x'
+    option :output, required: true, aliases: '-o'
+    def xccdf_results_mapper
+      hdf = HeimdallTools::XCCDFResultsMapper.new(File.read(options[:xml])).to_hdf
+      File.write(options[:output], hdf)
+    end
+
     desc 'nessus_mapper', 'nessus_mapper translates nessus xml report to HDF format Json be viewed on Heimdall'
     long_desc Help.text(:nessus_mapper)
     option :xml, required: true, aliases: '-x'

lib/heimdall_tools/nessus_mapper.rb

@@ -25,8 +25,6 @@
 
 NA_PLUGIN_OUTPUT = 'This Nessus Plugin does not provide output message.'.freeze
 
-# rubocop:disable Metrics/AbcSize
-
 # Loading spinner sign
 $spinner = Enumerator.new do |e|
   loop do

lib/heimdall_tools/xccdf_results_mapper.rb

@@ -0,0 +1,161 @@
+require 'json'
+require 'csv'
+require 'heimdall_tools/hdf'
+require 'utilities/xml_to_hash'
+require 'nokogiri'
+
+RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
+
+# XCCDF mapping for converting SCAP client (SCC or OpenSCAP) outputs to HDF
+# SCC output from the RHEL7 Lockdown image was used for testing
+
+U_CCI_LIST =   File.join(RESOURCE_DIR, 'U_CCI_List.xml')
+
+IMPACT_MAPPING = {
+  critical: 0.9,
+  high: 0.7,
+  medium: 0.5,
+  low: 0.3,
+  na: 0.0
+}.freeze
+
+# severity maps to high, medium, low with weights all being 10.0 from the xml
+# it doesn't really look like SCAP or SCC cares about that value, just if its high, med, or low
+
+CWE_REGEX = 'CWE-(\d*):'.freeze
+CCI_REGEX = 'CCI-(\d*)'.freeze
+
+DEFAULT_NIST_TAG = %w{SA-11 RA-5 Rev_4}.freeze
+
+module HeimdallTools
+  class XCCDFResultsMapper
+    def initialize(scap_xml, _name = nil)
+      @scap_xml = scap_xml
+      read_cci_xml
+      begin
+        data = xml_to_hash(scap_xml)
+        @results = data['Benchmark']['TestResult']
+        @benchmarks = data['Benchmark']
+        @groups = data['Benchmark']['Group']
+      rescue StandardError => e
+        raise "Invalid SCAP Client XCCDF output XML file provided Exception: #{e}"
+      end
+    end
+
+    # change for pass/fail based on output Benchmark.rule
+    # Pass/Fail are the only two options included in the output file
+    def finding(issue, count)
+      finding = {}
+      finding['status'] = issue['rule-result'][count]['result'].to_s
+      if finding['status'] == 'pass'
+        finding['status'] = 'passed'
+      end
+      if finding['status'] == 'fail'
+        finding['status'] = 'failed'
+      end
+      finding['code_desc']      = NA_STRING
+      finding['run_time']       = NA_FLOAT
+      finding['start_time']     = issue['start-time']
+      finding['message']        = NA_STRING
+      finding['resource_class'] = NA_STRING
+      [finding]
+    end
+
+    def read_cci_xml
+      @cci_xml = Nokogiri::XML(File.open(U_CCI_LIST))
+      @cci_xml.remove_namespaces!
+    rescue StandardError => e
+      puts "Exception: #{e.message}"
+    end
+
+    def cci_nist_tag(cci_refs)
+      nist_tags = []
+      cci_refs.each do |cci_ref|
+        item_node = @cci_xml.xpath("//cci_list/cci_items/cci_item[@id='#{cci_ref}']")[0] unless @cci_xml.nil?
+        unless item_node.nil?
+          nist_ref = item_node.xpath('./references/reference[not(@version <= preceding-sibling::reference/@version) and not(@version <=following-sibling::reference/@version)]/@index').text
+        end
+        nist_tags << nist_ref
+      end
+      nist_tags
+    end
+
+    def get_impact(severity)
+      IMPACT_MAPPING[severity.to_sym]
+    end
+
+    def parse_refs(refs)
+      refs.map { |ref| ref['text'] if ref['text'].match?(CCI_REGEX) }.reject!(&:nil?)
+    end
+
+    # Clean up output by removing the Satsifies block and the end of the description
+    def satisfies_parse(satisf)
+      temp_satisf = satisf.match('Satisfies: ([^;]*)<\/VulnDiscussion>')
+      return temp_satisf[1].split(',') unless temp_satisf.nil?
+
+      NA_ARRAY
+    end
+
+    def desc_tags(data, label)
+      { data: data || NA_STRING, label: label || NA_STRING }
+    end
+
+    def collapse_duplicates(controls)
+      unique_controls = []
+
+      controls.map { |x| x['id'] }.uniq.each do |id|
+        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map { |x| x['results'] }
+        unique_control = controls.find { |x| x['id'].eql?(id) }
+        unique_control['results'] = collapsed_results.flatten
+        unique_controls << unique_control
+      end
+      unique_controls
+    end
+
+    def to_hdf
+      controls = []
+      @groups.each_with_index do |group, i|
+        @item = {}
+        @item['id'] = group['Rule']['id'].split('.').last.split('_').drop(2).first.split('r').first.split('S')[1]
+        @item['title']               = group['Rule']['title'].to_s
+        @item['desc']                = group['Rule']['description'].to_s.split('Satisfies').first
+        @item['descriptions']		 = []
+        @item['descriptions']		 << desc_tags(group['Rule']['description'], 'default')
+        @item['descriptions']		 << desc_tags('NA', 'rationale')
+        @item['descriptions']		 << desc_tags(group['Rule']['check']['check-content-ref']['name'], 'check')
+        @item['descriptions']		 << desc_tags(group['Rule']['fixtext']['text'], 'fix')
+        @item['impact']				 = get_impact(group['Rule']['severity'])
+        @item['refs']				 = NA_ARRAY
+        @item['tags']				 = {}
+        @item['tags']['severity']    = nil
+        @item['tags']['gtitle']      = group['title']
+        @item['tags']['satisfies']   = satisfies_parse(group['Rule']['description'])
+        @item['tags']['gid']         = group['Rule']['id'].split('.').last.split('_').drop(2).first.split('r').first
+        @item['tags']['legacy_id']   = group['Rule']['ident'][2]['text']
+        @item['tags']['rid']         = group['Rule']['ident'][1]['text']
+        @item['tags']['stig_id']     = @benchmarks['id']
+        @item['tags']['fix_id']      = group['Rule']['fix']['id']
+        @item['tags']['cci']         = parse_refs(group['Rule']['ident'])
+        @item['tags']['nist']        = cci_nist_tag(@item['tags']['cci'])
+        @item['code']                = NA_STRING
+        @item['source_location'] = NA_HASH
+        # results were in another location and using the top block "Benchmark" as a starting point caused odd issues. This works for now for the results.
+        @item['results'] = finding(@results, i)
+        controls << @item
+      end
+
+      controls = collapse_duplicates(controls)
+      results = HeimdallDataFormat.new(profile_name: @benchmarks['id'],
+                                       version: @benchmarks['style'],
+                                       duration: NA_FLOAT,
+                                       title: @benchmarks['title'],
+                                       maintainer: @benchmarks['reference']['publisher'],
+                                       summary: @benchmarks['description'],
+                                       license: @benchmarks['notice']['id'],
+                                       copyright: @benchmarks['metadata']['creator'],
+                                       copyright_email: '[email protected]',
+                                       controls: controls)
+      results.to_hdf
+    end
+  end
+end